Skip to main content

Oracle Universal Work Queue CVE-2026-46966

| EUVDEUVD-2026-37277 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable EBS endpoint (AV:N), requires a valid low-privileged EBS account (PR:L), non-trivial preconditions for success (AC:H), no user interaction, and full takeover of the UWQ module (C:H/I:H/A:H, S:U).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:48 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle Universal Work Queue is possible in Oracle E-Business Suite versions 12.2.3 through 12.2.15 via the Work Provider Site Level Administration component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the module. Oracle classifies the issue as difficult to exploit (AC:H), and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach UWQ HTTP endpoint
Exploit
Craft Work Provider Site Level admin request
Execution
Satisfy high-complexity precondition
Persist
Exploit administration flaw
Impact
Take over Universal Work Queue module

Vulnerability AssessmentAI

Exploitation Requires (1) network reachability to the Oracle E-Business Suite HTTP tier serving the Oracle Universal Work Queue Work Provider Site Level Administration component, (2) a valid low-privileged EBS application account (PR:L - not anonymous), and (3) an EBS 12.2 instance running an affected UWQ version in the 12.2.3-12.2.15 range with UWQ deployed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H yields a 7.5 base score, driven by full CIA impact but tempered by high attack complexity and a required low-privileged account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged EBS application account (for example through phishing a help-desk user or reusing leaked credentials) authenticates to the EBS web tier and sends a crafted HTTP request to the Work Provider Site Level Administration function of UWQ, abusing the flaw to escalate within the module and take it over. Because AC is High, the attacker must satisfy non-trivial preconditions (specific configuration state, timing, or input crafting) before the exploit succeeds, and no public exploit identified at time of analysis means an attacker would need to derive the technique from the patch.
Remediation Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 fixes for E-Business Suite 12.2.3-12.2.15 as documented at https://www.oracle.com/security-alerts/cspujun2026.html, using the specific UWQ patch identifiers listed in the CPU patch availability matrix for your EBS release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Oracle E-Business Suite instances running versions 12.2.3-12.2.15 and assess whether the Work Provider Site Level Administration component is active and network-accessible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy